ControlCase is a global provider of IT Certification and Continuous Compliance services.
Our offerings enable clients to effectively manage their IT Governance, Risk Management and Compliance Management efforts.
ControlCase is accredited to multiple IT standards as a certification assessor and auditor.
ISO 27001 FAQ
4.1 – Understanding the Organization and its Context – outlines the organization and its context.
4.2 – Understanding the Needs and Expectations of Interested Parties – addresses the needs and expectations of your organization’s interested parties.
4.3 – Determining the Scope of the Information Security Management System – a crucial part of the ISMS, as it tells stakeholders, including senior management, customers, auditors and staff, which areas of your business are covered by your ISMS.
4.4 – Information Security Management System – deals with how the organization implements, maintains and continually improves the information security management system.
5.1 – Leadership & Commitment – emphasizes the importance of information security being supported, both visibly and materially, by senior management.
5.2 – Information Security Policy – requires that top management establish an information security policy.
5.3 – Organizational Roles, Responsibilities & Authorities – ensures that roles, responsibilities and authorities for the information security management system are clearly defined.
6.1 – Actions to Address Risks and Opportunities – covers the planning of actions to address risks and opportunities.
6.2 – Information Security Objectives & Planning to Achieve Them – assesses the protection of the confidentiality, integrity and availability (CIA) of the information assets in scope.
7.1 – Resources – ensures that adequate resources are provided for the establishment, implementation, maintenance and continual improvement of the information security management system.
7.2 – Competence – addresses the competence of the people doing work on the ISMS that could affect its performance.
7.3 – Awareness – ensures that the people doing the work are aware of information security practices and policies.
7.4 – Communication – covers what is communicated, when, to whom and how.
7.5 – Documented Information – addresses how the information security management system is described and how it demonstrates that its intended outcomes are achieved for the organization.
8.1 – Operational Planning & Control – is about the planning, implementation and control needed to ensure the outcomes of the information security management system are achieved.
8.2 – Information Security Risk Assessment – ensures risk assessments are performed at planned intervals and when changes require it.
8.3 – Information Security Risk Treatment – requires organizations to implement the information security risk treatment plan and retain documented information on the results of that risk treatment.
9.1 – Monitoring, Measurement, Analysis and Evaluation – evaluates how the ISMS is performing and looks at the effectiveness of the information security management system.
9.2 – Internal Audit – ensures internal audits are conducted at planned intervals.
9.3 – Management Review – ensures senior management conducts the management review required by ISO 27001.
10.1 – Nonconformity and Corrective Action – concerns the actions an organization takes to address information security related nonconformities.
10.2 – Continual Improvement – ensures continual evaluation and improvement of the ISMS.